httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ian Holsman <i...@apache.org>
Subject Re: [RFC} mod_suexec... changing the ap_hook_get_suexec_identity
Date Tue, 06 Aug 2002 15:08:06 GMT
Ryan Bloom wrote:
>>From: Ian Holsman [mailto:ianh@apache.org]
>>
>>hi guys.
>>currently the hook takes a request_rec as a parameter.
>>
>>but from what I can see it only ever can be set at the server
>>level/vhost level.
>>
>>so .. if no one objects I'm going to change it to be passed a
>>server_rec* into or a
>>request_rec one.
>>
>>
>>affected files would be modules/generators/mod_suexec.c
>>&
>>unixd/unixd.c both of which have the server-rec.
>>
>>this change is to allow other things to start suexec'd things at
> 
> startup.
> 
> Why do you want to be able to start other suexec'd things at startup?
> Wouldn't the security model for SuExec make this complex?  For example,
> the program being run must be within the Apache web space.  Why would
> you want to run a program in that space at startup?
> 
for FastCGI.
it needs to spawn some procs which do CGI. so it suExec's the program 
which sits there for all the requests to use.



> If you do want to run a program at startup, won't it work to just suid
> the program you want to run?  The SuExec security model is tuned to
> being run at request time, and I want to be sure that we don't weaken
> that model to allow running SuExec at startup. 



> 
> Ryan
> 
> 




Mime
View raw message